[ntp:questions] Re: restrict in ntpdc

Nagy Bela belus at petra.hos.u-szeged.hu
Wed Nov 3 08:41:14 UTC 2004


First, thanks for your help.

> Before you start setting your ntpd restrictions you need to consider a
> few points...
> 
> * About "nomodify" -- By default ntpd requires authentication with
> symmetric keys for modifications made with ntpdc. So if you don't
> configure symmetric keys for your ntpd, or keep them properly
> safeguarded, you don't need to use 'nomodify' unless you are concerned
> that the NTP authentication scheme might be compromised.
> 
> * About "noquery" -- The ntpd status query features provided by
> ntpq/ntpdc will reveal some information about the system running ntpd
> (e.g. OS version, ntpd version) that you may not wish others to know.
> You need to decide if concealing this information outweighs the possible
> benefits of allowing your clients to see synchronization information
> about your ntpd.
> 
> * About "notrust" -- This option tells ntpd to ignore all packets which
> are not cryptographically authenticated (note that this is a change from
> ntp-4.1.x). DO NOT use "notrust" unless ntp crypto (i.e. symmetric keys
> or autokey) has been properly configured on "both ends" of an ntp
> association (e.g. your ntpd and a remote time server, your ntpd and a
> client).
> 
> * Keep in mind that tighter default restrictions require additional
> configuration for authorized time-server/peers and client hosts/subnets.
> And you _must_ use IP addresses on your restrict lines.
> 
> ...and ask yourself a few questions:
> 
> 1. Are incoming connections to your ntpd blocked by NAT or a stateful
> inspection firewall?
> 
> --> If the answer is "Yes", skip to question #4.
No. I myself manage the firewall (netfilter)
and the udp port 123 is allowed in both directions.


> 2. If your ntpd is publicly accessible, do you really need to block
> all connections from unauthorized hosts?
> 
> --> If the answer is "No", skip to question #3.
> 
> --> If the answer is "Yes" use the following default restriction (and keep
> in mind that you will have to add restrict lines for every authorized
> server and client host/subnet):
> 
> 	restrict default ignore
Yes, since this computer is connected to the net with a slow modem (56k)
and for others it is more advantageous to use other ntp servers
(with more accurate clock).


> 4. How much protection do you need from clients on your internal
> network?
> 
> --> If you feel that you need to protect your ntpd from the hosts on your
> LAN you may wish to consider the following default restrictions:
> 
> 	restrict default kod nomodify notrap nopeer
I have no clients, only one computer on which ntpd is running.

> In this case you need to repeat the following two lines for each remote
> time server. You may use either a hostname or IP address on the server
> line. You _must_ use an IP address on the restrict line.
> 
> server x.y.z.w
> restrict x.y.z.w
(restrict with no other parameters?)

> If you are using a dial-up you need to seriously reconsider your default
> restrictions.
> 
> Assuming that you're talking about the ntpd running on the dial-up
> system... Just list the remote time servers in your /etc/ntp.conf and
> use /etc/ppp/ip-up to restart ntpd. Your ntpd will sync to a remote time
> server in ~15.30 seconds if you use the 'iburst' option on the server
> lines in your /etc/ntp.conf.
I heard that using iburst without prior permission is highly unfriendly.
And I don't have permission.

> You must use IP addresses when you set restrictions in ntp.conf or with
> ntpdc.
Ok, thanks. I use it with ntpdc -n -p to get the IPs.
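Putting the quoted advice together for the situation described in this thread (a single dial-up host, no clients of its own, a handful of remote servers), an added example ntp.conf that is not from the original message or the ntp project; the server addresses and the driftfile path are placeholders, not real servers:

```conf
# Added example ntp.conf, not from the original message.
# Assumes ntp-4.2.x on a single host that serves no NTP clients.

# Drop every incoming packet by default; only the addresses listed
# below are let through.
restrict default ignore

# Let the local host query and control its own ntpd with ntpq/ntpdc.
# Without this line 'restrict default ignore' also locks out 127.0.0.1.
restrict 127.0.0.1

# One 'server' line and one matching 'restrict' line per remote time
# server. The restrict line must carry the IP address, not a hostname.
# A restrict line with no flags removes all restrictions for that
# address, which is what lets the server's replies reach this ntpd.
# Adding the flags discussed above (nomodify notrap noquery) still lets
# the time packets through while blocking queries and control from
# that address.
# 192.0.2.10 and 198.51.100.20 are placeholder addresses (RFC 5737).
server 192.0.2.10
restrict 192.0.2.10 nomodify notrap noquery
server 198.51.100.20
restrict 198.51.100.20 nomodify notrap noquery

# No 'iburst' on the server lines, as discussed above.
# Placeholder path; use the location your distribution expects.
driftfile /var/lib/ntp/ntp.drift
```

After restarting ntpd, `ntpq -pn` from the same host should list both servers; if it reports no association, the usual cause is a restrict line whose address does not match the one ntpd actually talks to.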